Setting up proper security in Oracle EPM Cloud Services ensures each user has the right role for access to data and features in the system. You can implement security through a combination of roles and assignment of privileges. In this blog post, we'll go over the highlights of security and roles in NetSuite Planning and Budgeting Cloud (PBCS).

About the EPM Cloud Predefined Roles

Most Oracle EPM Cloud services use a common set of predefined functional service roles to control access to service environments. These predefined roles are Service Administrator, Power User, User, and Viewer.

Service Administrator

The Service Administrator performs all administrative and functional activities and is responsible for configuring application-level security for the Planning application.

Power User

Power User can view and interact with the data. This role is typically granted to department heads and business unit managers. A Power User can perform the following tasks:

  • Creates and maintains forms, task lists, ad hoc grids, and reports.
  • Creates and manages user variables but cannot delete them.
  • Views substitution variables.
  • Controls the approvals process.
  • Loads data using data forms and Data Management.


User, formerly known as Planner, can perform the following tasks:

  • Enters and submits data for approval, analyzes forms using ad hoc features, and drills through to the source system.
  • Accesses and modifies all financial reports to which the user has been granted access.


Viewer views and analyzes data through forms and ad hoc grids but cannot enter data in the system. This role is typically assigned to executives who need to view business plans during the budgeting process.

Predefined roles are hierarchical. Access granted through lower-level roles is inherited by higher-level roles. For example, Service Administrators inherit the privileges of Power User, User, and Viewer. Power Users inherit the privileges of User and Viewer, and Users inherit the privileges of Viewer.

Except for the Service Administrator, all predefined roles are affected by the Apply Security option at the dimension level in PBCS. When the Apply Security option is disabled, users assigned to predefined roles can access and write data to dimension members. We recommend that you enable the Apply Security option at the dimension level to enforce security.

About the Identity Domain Administrator Role

In addition to the functional roles, EPM Cloud services use the Identity Domain Administrator role to perform identity domain management tasks. The Identity Domain Administrator can create and manage users, assign their roles, configure single sign-on, and set up network restricted access through My Services.

Note that Identity Domain Administrator is not a functional role; it does not inherit access privileges granted through functional roles. To access service features, the Identity Domain Administrator must be granted one of the four functional roles.

An Identity Domain Administrator can create other Identity Domain Administrators. Having multiple Identity Domain Administrators ensures seamless operation in case an Identity Domain Administrator becomes unavailable.
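To make the inheritance and Identity Domain Administrator rules above concrete, here is an added example (not Oracle's code or an Oracle export format) that reviews a role assignment list against them. The CSV layout, the dimension map, the user names and the finding labels are all constructed for illustration.

```python
import csv
import io

# Predefined functional roles, lowest to highest; each inherits everything below it.
HIERARCHY = ["Viewer", "User", "Power User", "Service Administrator"]
IDA = "Identity Domain Administrator"  # not a functional role, inherits nothing
# Constructed sample data; the column layout is an assumption for this example.
ASSIGNMENTS = """user,role
alice,Service Administrator
alice,Identity Domain Administrator
bob,Power User
bob,Viewer
carol,Identity Domain Administrator
dave,User
"""
# Constructed: dimension name -> whether Apply Security is enabled.
DIMENSIONS = {"Account": True, "Entity": True, "Scenario": False}


def effective_roles(assigned):
    """Expand assigned functional roles into everything inherited via the hierarchy."""
    ranks = [HIERARCHY.index(r) for r in assigned if r in HIERARCHY]
    return HIERARCHY[: max(ranks) + 1] if ranks else []


def audit(assignments_csv, dimensions):
    """Return (finding, subject) pairs for conditions worth a reviewer's attention."""
    by_user = {}
    for row in csv.DictReader(io.StringIO(assignments_csv)):
        by_user.setdefault(row["user"], set()).add(row["role"].strip())
    findings = []
    admins = sorted(u for u, r in by_user.items() if IDA in r)
    if len(admins) < 2:  # no backup if this administrator becomes unavailable
        findings.append(("single-identity-domain-admin", ",".join(admins)))
    for user, roles in sorted(by_user.items()):
        eff = effective_roles(roles)
        if IDA in roles and not eff:  # can manage users but cannot use service features
            findings.append(("ida-without-functional-role", user))
        redundant = sorted(roles & set(eff[:-1]))  # already inherited from a higher role
        if redundant:
            findings.append(("redundant-lower-role", f"{user}:{'/'.join(redundant)}"))
    for dim, enabled in sorted(dimensions.items()):
        if not enabled:  # non-admin roles can read and write every member
            findings.append(("apply-security-disabled", dim))
    return findings


if __name__ == "__main__":
    print(*audit(ASSIGNMENTS, DIMENSIONS), sep="\n")
```

An Identity Domain Administrator without a functional role is not necessarily a misconfiguration; the finding simply marks accounts that can manage users but cannot open the service itself.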

Creating Users

  1. Sign in to My Services as an Identity Domain Administrator.
  2. In the Navigation panel, click Users.
  3. On the Users tab, click Add.
  4. In the Add User window, enter the user information and select or remove roles using the arrows. Click Add to create the new user.
  5. You can also update a user's roles. On the Users tab, click Action (the vertical ellipsis) and select Manage Roles.
  6. In the Manage Roles window, select the roles you want to assign to or remove from the user using the arrows. Click Save.

Want to Learn More?

If you would like a free consultation, please contact Gerard at Redhill Business Analytics via email or the contact form below.